
About The Author

Melanie has worked at IT Governance for over four years, commenting on information security topics that impact businesses throughout the UK, as well as on many other issues.

7 Comments

Andy Crow, 13th January 2017

Hi Melanie

I have recently passed the Practitioners course with IT Governance which was equally comprehensive and informative. I have since been in many meetings and have quoted the importance of processing “EU residents” data. I have however been alerted by a UK barrister that the law at no point mentions “resident” or “citizen” throughout the 99 Articles, only “Data Subjects” within the EU union. This being the case, everybody of any nationality should have their personal data protected if they are on EU soil, and therefore an even bigger issue for organisations.

Richard, 18th January 2017

Yes, this is indeed true, and you can find this fact supported by the recitals. Whilst the recitals have no independent legal value, they do often provide further detail and context. In this case, look at recital (14): “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”.

This means if there is a breach of data from an EU based controller or processor and it includes personal data of non EU citizens they may indeed be able to exercise their rights with the relevant supervisory authority.

Now, this is a good reason for an organisation to identify and understand the risks associated with processing personal data. In this case, mapping out what personal information is collected, where it is stored, etc. A good Data Protection Impact Assessment (DPIA) should help identify such issues and the associated risk mitigation.

ITG has a toolkit which includes a DPIA template which will help organisations identify such risks.

CP, 16th January 2017

How do you deal with the fact that the UK has not consulted on its implementation of the GDPR yet and the fact there are 50 Articles where Member States can have limited flexibility to implement its provisions?

Richard, 19th January 2017

You are right there is limited flexibility for member states to make changes but this only applies to a few Articles (e.g. Article 8 allows member states to lower the age of consent to 13 years (from the default 16 years); and Article 9 allows member states to introduce further conditions with regards to special category data but this only applies to the processing of genetic, biometric and data concerning health).

A key premise of the regulation is its consistent application across the Union. This is dealt with in part by Article 63 which sets out the Consistency mechanism. In addition, the introduction of the European Data Protection Board (Article 70) has amongst its tasks to monitor and ensure the correct application of the Regulation. Whilst this should mean changes are minimal, it is clear that organisations should review the guidance and codes of practice which are likely to emerge from supervisory bodies over time.

David Supple, 16th January 2017

Indeed Andy, you are right – with respects to nationality:

1. EU law applies to the processing of personal data regardless of whether the individuals affected are EU citizens or not

With respects to geography and the relationship to the controller:

2. It is irrelevant if the individual affected is physically present in the EU or not. The trigger for application of the law attaches to the status of the controller and its actions and not to the individuals affected.

Nicola, 18th January 2017

The GDPR makes no distinction between nationality or residency status of individuals and whilst there may be no mention of ‘resident’ or ‘citizen’ in the Articles, the 173 Recitals will be extremely important in interpretation, especially by the CJEU, and provide the meat on the bones of the articles – recitals 23 & 24 and Article 2 refer to data subjects who “are in the Union”. Recital 141 gives a further hint in respect of the Member State of “habitual residence” in connection with lodging a complaint with a supervisory authority…
This will be something that the UK is going to have to work out when it leaves the EU as the extraterritorial reach will impact on it as a third country which will need to seek adequacy to ensure that transfers of personal data to it can continue; data controllers will then need to look to appoint representatives in a Member State and determine which is their lead supervisory authority as far as the processing of personal data of Data subjects who “are in the Union” are concerned as that will no longer be (just) the ICO. In a perverse twist, UK residents may find, after the split, that their personal data is guaranteed better protection and they have stronger rights if it is processed in the newest EU Member State than processed in the UK itself.

I think we are overly worried about consent, there are situations where we need consent but processing as part of fulfilling a contract does not need consent. The main requirement (the most important) in my view is to provide notice of proposed processing, the Privacy Notice. Sadly the Privacy Notice is set to be burdened with lots of technical jargon about data retention and the conditions for fair processing.